What is COM Surrogate (dllhost.exe) and Why It Causes High CPU?

If you have recently opened the Task Manager on Windows, chances are, you have noticed several instances of COM Surrogate process running on your computer. For many computer users, the process name isn’t self-explanatory, nor is the filename (dllhost.exe) associated with them. Naturally, this raises questions like why this process is running and could it be a virus. In this article, we will explain the purpose of COM Surrogate, discuss common problems and errors related to it and how to fix them.

What is COM SURROGATE (dllhost.exe)?

COM Surrogate is an alternative name for dllhost.exe. COM stands for Component Object Model, and it is a Microsoft’s system for creating binary software objects that can interact with other objects. Software developers can be written in a variety of programming languages. The only requirement for the language is that it must allow creating structures of pointers and call functions through pointers. Because the COM standard is applied after the program has been translated into a binary machine code, it is sometimes referred to as binary standard.

To explain the purpose of COM in simple terms, it is a technology that allows objects to interact between different processes as easily as within one process. In other words, COM provides a language-neutral way to implement objects in environments different than the one they were created in.

A good example of Component Object Model usage is a Microsoft Word document that has an embedded spreadsheet. Whenever the data in spreadsheet is updated, it also updates in the MS Word document as well. The same spreadsheet can be reused in several documents.

Previously, if COM objects crashed, they would take down its host process. For this reason, Microsoft created COM Surrogate process to address this issue. The process hosts the COM object outside the original process that requested it and in case the COM object crashes, the original process continues running, and only the COM Surrogate will go down.

As suggested by Microsoft’s Raymond Chen, the process can be used in situations where the developer doesn’t feel sure about certain code. The problem can be solved by asking COM Surrogate to host it in another process to avoid unnecessary crashes. Therefore, COM Surrogate file name is dllhost.exe, as the objects it hosts are .dll files.

How to understand which object a COM Surrogate is hosting?

Although Windows Task Manager doesn’t provide information about specific COM objects hosted, you can check it using Microsoft’s tool named Process Explorer. Make sure you download it from the official Microsoft website as provided here and not some suspicious third-party websites. To understand which objects a specific dllhost.exe process is hosting, just hover your mouse over it.

Is COM Surrogate a virus?

COM Surrogate can, in fact, be a virus, because cybercriminals often try to disguise malicious processes under names of legitimate Windows processes in order to avoid drawing user’s attention to it. However, we will explain how you can figure out whether the instances of this process running on your computer are genuine or associated with malware.

Damage that COM Surrogate virus can cause

There are several examples of computer viruses that use dllhost.exe process to deliver payloads. Names of these malware variants are Poweliks, Artemis, Kovter, Sirefef.A, although there may possibly be more of Trojans/rootkits misusing the dllhost.exe process.

For example, the majority of these malware variants are considered fileless infections, since they run without any own file, but rather injects themself into legitimate processes like dllhost.exe.

These threats can disable security software, contact remote hosts and download additional malware on the system, carry out tasks according to remote attacker’s needs, or perform clickfraud.

Identify COM Surrogate virus easily

If you suspect that you have a COM Surrogate virus running on your computer which is often causing High CPU (100% disk) in Task Manager, we recommend checking its origins. One of the quickest ways to check whether you’re dealing with the real or fake dllhost.exe is to check its file location. Here’s how to do it:

1. Open Windows Task Manager by pressing CTRL+ALT+DEL and then click Task Manager.
2. Here, press C button repeatedly until you find COM Surrogate (it is a fast way to search by the first letter). Right-click the process and choose Open File Location option. TIP: You may need to check several processes, in case you see more than one COM Surrogate running on your PC).
3. Check if the process-associated file is located in C:/Windows\System32 or C:/winnt/system32. It indicates that you are dealing with the genuine process. If the file is located anywhere else, you might be dealing with a virus.

One way or another, the only way to assure that it is safe or malicious is to boot computer in Safe Mode and run your antivirus software. It will use signature-based or machine-learning detection model to identify whether the COM Surrogate virus is real or not. Our team recommends using INTEGO Antivirus for malware detection and removal.

How to avoid malware infections

In order to prevent fileless computer infections that might try to hijack legitimate processes like dllhost.exe, we suggest reading these recommendations:

• Keep your PC protected with an antivirus that has real-time protection feature.
• Do not download cracked software and other illegal content from online resources.
• Keep your operating system and installed software up-to-date (do not delay pending updates).
• Be careful when checking your email – do not open links or attachments sent by untrustworthy parties.
• Use strong passwords for RDP.

Common errors related to legitimate COM Surrogate process

People often worry about High disk usage caused by this process. However, just like Microsoft Compatibility Telemetry or other processes, it might use a lot of RAM due to certain issues. We suggest running a quick free scan with RESTORO to identify troublesome programs and malware-related issues on the system.

Do not stop or disable the legitimate dllhost.exe process

You cannot stop, disable or delete COM Surrogate file because it is an essential part of the whole Windows operating system. To be precise, it is responsible for smooth operation of COM objects and prevention of Windows Explorer crashes. These processes can be used by variety of programs (you may see several ones in WTM) to complete certain tasks outside the host process.

However, some users might feel the urge to disable the process due to certain problems caused by the process. In the majority of cases, the process will simply restart itself automatically. However, if you suspect that there is a serious or persistent problem with dllhost.exe, you may want to look deeper into it.

Typical COM SURROGATE issues

Although the original DLLHOST.EXE process is safe and legitimate, there are some issues related to it that cause regular headaches for Windows users. Some of the most common problems and errors related to it are:

COM Surrogate High CPU (high memory usage problem)

Many computer users report seeing an increased RAM usage by the said process. COM Surrogate high CPU might be caused due to a malware attack, corrupted files or outdated codecs. One way or another, you shouldn’t ignore this problem and take actions to fix it immediately.

COM Surrogate has stopped working

The said error typically occurs while browsing media files – videos or pictures stored on a computer. Typical issues causing the error are outdated drivers, false positive antivirus interruption, or disk errors.

COM Surrogate keeps popping up

Users on various Internet forums often discuss yet another persistent annoyance related to DLLHOST.exe. They report that COM Surrogate pop-ups and disappears or minimizes other programs for them. It typically happens every 5 or 10 minutes. There are several known fixes for this error, including disk error checking or updating codecs.

COM Surrogate asking for password

Some users have reported an issue related to Windows Security COM Surrogate asking for password for email. It can happen after manually shutting down the process. The first thing you should try if you’re dealing with this issue is to perform clean boot and see if you’re getting the prompt there. If you do not get the issue while in Safe Mode, it means that the issue is related to some third-party program. Otherwise, the issue might be related to outdated system version, wrong software installation bit-wise or other issue.

Methods to Fix COM Surrogate Errors

Method 1. Reset Internet Explorer

1. Open Run prompt by pressing down Windows key + R. Then, type inetcpl.cpl and press Enter.
2. Internet Properties window will appear. Go to Advanced tab and press Reset… button.
3. In the next window, confirm your choice by pressing Reset again.
   
4. Once the settings are reset, close the windows and restart your computer.

Method 2. Re-register DLLs

This method re-registers DLLs and thus can help to solve the issue with dllhost.exe. It is worth trying it.

1. In Windows search, type Command Prompt. Right-click the matching result and choose Run as administrator.
   
2. In UAC prompt, press Yes.
3. In Command Prompt, type the following command: regsvr32 vbscript.dll and press Enter. You will see a notification stating “DLLRegisterServer in vbscript.dll succeeded.”
   
4. Now, type regsvr32 jscript.dll and press Enter. You will see a notification stating “DLLRegisterServer in jscript.dll succeeded.”
   
5. Restart your computer.

Method 3. Rollback Display Driver

Another commonly discussed method that helps to fix COM Surrogate has stopped working error is rolling back your display driver. Here’s how to do it:

1. Launch Run prompt: press Windows key + R at the same time. Now, type hdwwiz.cpl and hit Enter.
   
2. Expand display adapters section by double-clicking it. Then right-click on your display adapter and choose Properties option.
   
3. Here, click on Roll back driver button and follow on-screen directions.
   
4. Restart your computer.

Method 4. Run sfc/scannow

SFC, a shorter version of System File Checker, is a Windows utility for scanning, detecting and repairing Windows system files. It can help you to solve various Windows issues, and might come in handy when dealing with COM surrogate issues.

1. In Windows search , type Command Prompt, then right-click matching result and choose Run as administrator.
2. Now, type sfc/scannow and press Enter. Wait until the scan is completed.
   

Method 5. Run Deployment Image Servicing and Management tool (DISM)

1. In Windows search , type Command Prompt, then right-click matching result and choose Run as administrator.
   
2. Copy the following command and paste it into Command Prompt window, then press Enter:
   DISM.exe /Online /Cleanup-image /Restorehealth
   
3. Restart your computer.

Method 6. Run a scan with antivirus software

To rule out the possibility that the process is hijacked by fileless malware, consider running a scan with a trustworthy antivirus. Our team recommends and trusts INTEGO Antivirus, although you can choose whichever AV brand you prefer.

We hope that this guide has provided clear explanation of what COM Surrogate and why it may cause high memory usage. If you have further questions or suggestions, do not hesitate and share them in the comments section below.